[Forgot Password]
Login  Register Subscribe

30479

 
 

423868

 
 

248392

 
 

909

 
 

195452

 
 

282

 
Paid content will be excluded from the download.


Download | Alert*
CVE
view JSON

CVE-2018-18509Date: (C)2019-06-05   (M)2023-12-22


A flaw during verification of certain S/MIME signatures causes emails to be shown in Thunderbird as having a valid digital signature, even if the shown message contents aren't covered by the signature. The flaw allows an attacker to reuse a valid S/MIME signature to craft an email message with arbitrary content. This vulnerability affects Thunderbird < 60.5.1.

CVSS Score and Metrics +CVSS Score and Metrics -

CVSS V3 Severity:CVSS V2 Severity:
CVSS Score : 5.3CVSS Score : 5.0
Exploit Score: 3.9Exploit Score: 10.0
Impact Score: 1.4Impact Score: 2.9
 
CVSS V3 Metrics:CVSS V2 Metrics:
Attack Vector: NETWORKAccess Vector: NETWORK
Attack Complexity: LOWAccess Complexity: LOW
Privileges Required: NONEAuthentication: NONE
User Interaction: NONEConfidentiality: NONE
Scope: UNCHANGEDIntegrity: PARTIAL
Confidentiality: NONEAvailability: NONE
Integrity: LOW 
Availability: NONE 
  
Reference:
http://seclists.org/fulldisclosure/2019/Apr/38
RHSA-2019:1144
http://www.openwall.com/lists/oss-security/2019/04/30/4
http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html
https://bugzilla.mozilla.org/show_bug.cgi?id=1507218
https://github.com/RUB-NDS/Johnny-You-Are-Fired
https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf
https://www.mozilla.org/security/advisories/mfsa2019-06/
openSUSE-SU-2019:1162

CPE    118
cpe:/a:mozilla:thunderbird:11.0
cpe:/a:mozilla:thunderbird:11.0.1
cpe:/a:mozilla:thunderbird:1.0
cpe:/a:mozilla:thunderbird:38.0.1
...
CWE    1
CWE-347
OVAL    14
oval:org.secpod.oval:def:2103454
oval:org.secpod.oval:def:502634
oval:org.secpod.oval:def:502636
oval:org.secpod.oval:def:50879
...

© SecPod Technologies